Bug 214655 - BUG: unable to handle kernel paging request in __dquot_free_space
Summary: BUG: unable to handle kernel paging request in __dquot_free_space
Status: RESOLVED CODE_FIX
Alias: None
Product: File System
Classification: Unclassified
Component: ext4 (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: fs_ext4@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-10-09 01:16 UTC by 6201613047
Modified: 2021-10-20 17:00 UTC (History)
1 user (show)

See Also:
Kernel Version: 5.15-rc-ksmbd-part2
Tree: Mainline
Regression: No


Attachments
poc (44.12 KB, text/plain)
2021-10-09 01:16 UTC, 6201613047
Details

Description 6201613047 2021-10-09 01:16:02 UTC
Created attachment 299143 [details]
poc

Find it by something like Syzkaller and I think this is a BUG.
And POC is attached here.
Looking forward to your reply.

-----------------------------------
EXT4-fs error (device loop0): ext4_empty_dir:3011: inode #12: block 80: comm syz-executor.0: bad entry in directory: rec_len is smaller than minimal - offset=0, inode=0, rec_len=0, size=4096 fake=0
EXT4-fs warning (device loop0): ext4_empty_dir:3013: inode #12: comm syz-executor.0: directory missing '.'
BUG: unable to handle page fault for address: fffffbfff6b3012c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 9fffeb067 P4D 9fffeb067 PUD 9ffe0f067 PMD 0 
Oops: 0000 [#1] SMP KASAN PTI
CPU: 3 PID: 26685 Comm: syz-executor.0 Not tainted 5.14.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x13d/0x200 mm/kasan/generic.c:189
Code: 83 c0 01 48 89 d8 49 39 d8 74 0f 41 80 38 00 74 ee 4b 8d 04 0c 4d 85 c0 75 4b 48 89 eb 48 29 c3 e9 42 ff ff ff 48 85 db 74 2e <41> 80 39 00 75 32 48 b8 01 00 00 00 00 fc ff df 49 01 d9 49 01 c0
RSP: 0018:ffff88812dd8f4c8 EFLAGS: 00010202
RAX: fffffbfff6b3012c RBX: 0000000000000002 RCX: ffffffffb2e0a1f6
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffffb5980967
RBP: fffffbfff6b3012e R08: 1ffffffff6b3012c R09: fffffbfff6b3012c
R10: ffffffffb598096a R11: fffffbfff6b3012d R12: ffff88812dd8f5d8
R13: ffff8881ac734b28 R14: 0000000000010000 R15: ffffffffb5980907
FS:  00007f0f2b188700(0000) GS:ffff8889d7380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff6b3012c CR3: 0000000156d9a001 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:511 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:82 [inline]
 do_raw_spin_lock include/linux/spinlock.h:187 [inline]
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x66/0xd0 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:363 [inline]
 __dquot_free_space+0x211/0x7c0 fs/quota/dquot.c:1874
 dquot_free_space_nodirty include/linux/quotaops.h:376 [inline]
 dquot_free_space include/linux/quotaops.h:381 [inline]
 dquot_free_block include/linux/quotaops.h:392 [inline]
 ext4_free_blocks+0x1430/0x1940 fs/ext4/mballoc.c:6084
 ext4_remove_blocks fs/ext4/extents.c:2488 [inline]
 ext4_ext_rm_leaf fs/ext4/extents.c:2672 [inline]
 ext4_ext_remove_space+0x299c/0x3590 fs/ext4/extents.c:2920
 ext4_ext_truncate+0x195/0x200 fs/ext4/extents.c:4382
 ext4_truncate+0xa2b/0xe80 fs/ext4/inode.c:4268
 ext4_evict_inode+0x8af/0x13c0 fs/ext4/inode.c:287
 evict+0x2d3/0x5b0 fs/inode.c:586
 iput_final fs/inode.c:1662 [inline]
 iput fs/inode.c:1688 [inline]
 iput+0x4ba/0x710 fs/inode.c:1674
 dentry_unlink_inode+0x314/0x4d0 fs/dcache.c:376
 d_delete fs/dcache.c:2505 [inline]
 d_delete+0x152/0x1a0 fs/dcache.c:2494
 vfs_rmdir fs/namei.c:3984 [inline]
 vfs_rmdir+0x438/0x570 fs/namei.c:3948
 do_rmdir+0x1c2/0x3a0 fs/namei.c:4032
 __do_sys_unlinkat fs/namei.c:4211 [inline]
 __se_sys_unlinkat fs/namei.c:4205 [inline]
 __x64_sys_unlinkat+0xcc/0x100 fs/namei.c:4205
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4698d9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f2b187c48 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004698d9
RDX: 0000000000000200 RSI: 0000000020000040 RDI: 0000000000000005
RBP: 00000000004d26c2 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80
R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdbd022e40
Modules linked in:
CR2: fffffbfff6b3012c
---[ end trace 337a23afd90599f5 ]---
RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:85 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/generic.c:102 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:128 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/generic.c:159 [inline]
RIP: 0010:check_region_inline mm/kasan/generic.c:180 [inline]
RIP: 0010:kasan_check_range+0x13d/0x200 mm/kasan/generic.c:189
Code: 83 c0 01 48 89 d8 49 39 d8 74 0f 41 80 38 00 74 ee 4b 8d 04 0c 4d 85 c0 75 4b 48 89 eb 48 29 c3 e9 42 ff ff ff 48 85 db 74 2e <41> 80 39 00 75 32 48 b8 01 00 00 00 00 fc ff df 49 01 d9 49 01 c0
RSP: 0018:ffff88812dd8f4c8 EFLAGS: 00010202
RAX: fffffbfff6b3012c RBX: 0000000000000002 RCX: ffffffffb2e0a1f6
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffffb5980967
RBP: fffffbfff6b3012e R08: 1ffffffff6b3012c R09: fffffbfff6b3012c
R10: ffffffffb598096a R11: fffffbfff6b3012d R12: ffff88812dd8f5d8
R13: ffff8881ac734b28 R14: 0000000000010000 R15: ffffffffb5980907
FS:  00007f0f2b188700(0000) GS:ffff8889d7380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff6b3012c CR3: 0000000156d9a001 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
netlink: 72 bytes leftover after parsing attributes in process `syz-executor.7'.
==================================================================
BUG: KASAN: use-after-free in owner_on_cpu kernel/locking/rwsem.c:605 [inline]
BUG: KASAN: use-after-free in rwsem_can_spin_on_owner kernel/locking/rwsem.c:626 [inline]
BUG: KASAN: use-after-free in rwsem_down_write_slowpath+0xade/0xfe0 kernel/locking/rwsem.c:1026
Read of size 4 at addr ffff88812eaf4534 by task syz-executor.0/26792

CPU: 3 PID: 26792 Comm: syz-executor.0 Tainted: G      D           5.14.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x4c/0x64 lib/dump_stack.c:106
 print_address_description.constprop.9+0x21/0x150 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold.14+0x7f/0x11b mm/kasan/report.c:459
 owner_on_cpu kernel/locking/rwsem.c:605 [inline]
 rwsem_can_spin_on_owner kernel/locking/rwsem.c:626 [inline]
 rwsem_down_write_slowpath+0xade/0xfe0 kernel/locking/rwsem.c:1026
 __down_write_common kernel/locking/rwsem.c:1262 [inline]
 __down_write_common kernel/locking/rwsem.c:1259 [inline]
 __down_write kernel/locking/rwsem.c:1271 [inline]
 down_write+0xd2/0x120 kernel/locking/rwsem.c:1516
 inode_lock include/linux/fs.h:786 [inline]
 chown_common+0x1ea/0x400 fs/open.c:675
 do_fchownat+0xef/0x180 fs/open.c:709
 __do_sys_lchown fs/open.c:734 [inline]
 __se_sys_lchown fs/open.c:732 [inline]
 __x64_sys_lchown+0x7a/0xc0 fs/open.c:732
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4698d9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0f2b166c48 EFLAGS: 00000246 ORIG_RAX: 000000000000005e
RAX: ffffffffffffffda RBX: 000000000077c038 RCX: 00000000004698d9
RDX: 0000000000000000 RSI: 000000000000ee00 RDI: 00000000200002c0
RBP: 00000000004d26c2 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077c038
R13: 0000000000000000 R14: 000000000077c038 R15: 00007ffdbd022e40
netlink: 72 bytes leftover after parsing attributes in process `syz-executor.7'.

Allocated by task 26666:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x68/0x80 mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3206 [inline]
 kmem_cache_alloc_node+0xd2/0x200 mm/slub.c:3242
 alloc_task_struct_node kernel/fork.c:171 [inline]
 dup_task_struct kernel/fork.c:883 [inline]
 copy_process+0x1717/0x67c0 kernel/fork.c:2026
 kernel_clone+0xbd/0x970 kernel/fork.c:2584
 __do_sys_clone+0xde/0x120 kernel/fork.c:2701
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 26778:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xe2/0x110 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1700 [inline]
 slab_free_freelist_hook mm/slub.c:1725 [inline]
 slab_free mm/slub.c:3483 [inline]
 kmem_cache_free+0x74/0x280 mm/slub.c:3499
 __put_task_struct+0x22a/0x4f0 kernel/fork.c:760
 put_task_struct include/linux/sched/task.h:113 [inline]
 delayed_put_task_struct+0x11d/0x160 kernel/exit.c:173
 rcu_do_batch kernel/rcu/tree.c:2508 [inline]
 rcu_core+0x555/0x14b0 kernel/rcu/tree.c:2743
 __do_softirq+0x17f/0x53f kernel/softirq.c:558

Last potentially related work creation:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xa3/0xb0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:2987 [inline]
 call_rcu+0x77/0x8f0 kernel/rcu/tree.c:3067
 put_task_struct_rcu_user+0x61/0x90 kernel/exit.c:179
 finish_task_switch+0x48e/0x670 kernel/sched/core.c:4854
 schedule_tail+0x7/0xa0 kernel/sched/core.c:4876
 ret_from_fork+0x8/0x30 arch/x86/entry/entry_64.S:280

Second to last potentially related work creation:
 kasan_save_stack+0x19/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xa3/0xb0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:2987 [inline]
 call_rcu+0x77/0x8f0 kernel/rcu/tree.c:3067
 put_task_struct_rcu_user+0x61/0x90 kernel/exit.c:179
 finish_task_switch+0x48e/0x670 kernel/sched/core.c:4854
 context_switch kernel/sched/core.c:4943 [inline]
 __schedule+0x882/0x1710 kernel/sched/core.c:6287
 schedule+0xbd/0x250 kernel/sched/core.c:6366
 freezable_schedule include/linux/freezer.h:172 [inline]
 futex_wait_queue_me+0x24b/0x430 kernel/futex.c:2821
 futex_wait+0x1cb/0x620 kernel/futex.c:2922
 do_futex+0x337/0x17e0 kernel/futex.c:3932
 __do_sys_futex kernel/futex.c:4009 [inline]
 __se_sys_futex kernel/futex.c:3990 [inline]
 __x64_sys_futex+0x189/0x400 kernel/futex.c:3990
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88812eaf4500
 which belongs to the cache task_struct of size 5576
The buggy address is located 52 bytes inside of
 5576-byte region [ffff88812eaf4500, ffff88812eaf5ac8)
The buggy address belongs to the page:
page:0000000082bf4bc1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12eaf0
head:0000000082bf4bc1 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
raw: 0200000000010200 dead000000000100 dead000000000122 ffff888100178b40
raw: 0000000000000000 0000000000050005 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88812eaf4400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88812eaf4480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88812eaf4500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88812eaf4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88812eaf4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:	83 c0 01             	add    $0x1,%eax
   3:	48 89 d8             	mov    %rbx,%rax
   6:	49 39 d8             	cmp    %rbx,%r8
   9:	74 0f                	je     0x1a
   b:	41 80 38 00          	cmpb   $0x0,(%r8)
   f:	74 ee                	je     0xffffffff
  11:	4b 8d 04 0c          	lea    (%r12,%r9,1),%rax
  15:	4d 85 c0             	test   %r8,%r8
  18:	75 4b                	jne    0x65
  1a:	48 89 eb             	mov    %rbp,%rbx
  1d:	48 29 c3             	sub    %rax,%rbx
  20:	e9 42 ff ff ff       	jmpq   0xffffff67
  25:	48 85 db             	test   %rbx,%rbx
  28:	74 2e                	je     0x58
* 2a:	41 80 39 00          	cmpb   $0x0,(%r9) <-- trapping instruction
  2e:	75 32                	jne    0x62
  30:	48 b8 01 00 00 00 00 	movabs $0xdffffc0000000001,%rax
  37:	fc ff df
  3a:	49 01 d9             	add    %rbx,%r9
  3d:	49 01 c0             	add    %rax,%r8
Comment 1 Jan Kara 2021-10-20 16:43:16 UTC
Thanks for report. I'll try to reproduce this in my test VM. I have recently merged some fixes for detecting corrupted quota files from Zhang Yi so maybe this is already fixed but let's see...
Comment 2 Jan Kara 2021-10-20 17:00:36 UTC
Indeed, I can reproduce the problem with current Linus' kernel but I cannot reproduce anymore with the fixes I have queued in my tree. Namely:

d0e36a62bd4c "quota: correct error number in free_dqentry()"
9bf3d2033129 "quota: check block number when reading the block in quota file"

So closing this as fixed.

Note You need to log in before you can comment on or make changes to this bug.